j-gray (Posted September 25)

The same EEA policies are applied to all Windows 11 workstations, all are running EEA 11.1.x. In this case, all are on the same subnet.

We have a select few where once EEA is installed, TCP port 3389 gets closed. Port scan with no EEA shows 3389 open and we can successfully RDP. As soon as EEA is installed, the port is no longer available and we cannot RDP.

On every other Windows 11 workstation except for two, on the same subnet with the same 11.1.x version and same policies, port 3389 is accessible.

I can't tell how/why EEA is closing the port. Firewall is disabled, but IDS is enabled to allow Network Isolation functionality. Current policy is below:

Kaneda740 (Posted September 26, edited)

Hi,

The same is happening in the domain that I work in every day. Those computers or virtual machines on which Windows 11 is being installed are inaccessible through Remote Desktop connections after installing ESET Endpoint Antivirus on them.

On the client side of EEA, those blocked incoming RDP connections can be seen under Setup --> Network --> "Resolve Blocked Communication" section.

Sorry for not having a solution yet, I am trying to find one. I just wanted to inform that there are more cases with the same situation.

Marcos (Administrators, Posted September 26)

Is it really that no remote IP was logged? Is the IP address trusted? Asking since RDP connections are allowed only from the trusted zone and trusted networks by default.

j-gray (Author, Posted September 26)

28 minutes ago, Kaneda740 said:
> Hi, The same is happening in the domain that I work in every day. Those computers or virtual machines on which Windows 11 is being installed are inaccessible through Remote Desktop connections after installing ESET Endpoint Antivirus on them. On the client side of EEA, those blocked incoming RDP connections can be seen under Setup --> Network --> "Resolve Blocked Communication" section. Sorry for not having a solution yet, I am trying to find one. I just wanted to inform that there are more cases with the same situation.

Thanks for this info. What's very puzzling to me is that we have at least 15 other Win11 workstations on that same subnet, all with the same ESET policies and same GPOs. ESET is blocking RDP on only two of those systems. All others show TCP 3389 available/open.

Netstat shows they're listening on that port, but it's otherwise blocked as soon as we install ESET. I can't figure out what's causing the inconsistencies.

Marcos (Administrators, Posted September 26)

For troubleshooting purposes you could change this setting to "All networks" and see if it helps:

j-gray (Author, Posted September 26)

1 hour ago, Marcos said:
> For troubleshooting purposes you could change this setting to "All networks" and see if it helps:

Yes, this opens TCP port 3389 again on those two devices. I'm still confused as to why this was impacting only 2 of 12 devices on the same subnet.

itman (Posted September 26)

2 hours ago, j-gray said:
> I'm still confused as to why this was impacting only 2 of 12 devices on the same subnet.

You will have to research why ESET does not consider the two Win 11 devices not part of the local (trusted) subnet.

j-gray (Author, Posted September 26)

20 minutes ago, itman said:
> You will have to research why ESET does not consider the two Win 11 devices not part of the local (trusted) subnet.

No idea how I might discern that. Those systems are all on the same /24 subnet. They are not multi-homed and have a standard, basic network config via DHCP.

Marcos (Administrators, Posted September 27)

Perhaps comparing ELC logs from a machine where RDP communication was allowed with those from one where it was blocked would reveal the cause. Please provide me with such 2 sets of logs for a check.

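
Alongside the log comparison suggested above, this added example (not posted by any participant and not ESET code) records the Windows-side network facts the thread keeps comparing, on one workstation where RDP works and one where it is blocked, and lists only the fields that differ. The function names and file names are hypothetical, and which of these fields, if any, ESET uses to decide that a network is trusted is not established by the thread.

```powershell
# Added example: hypothetical helper names; run locally on each workstation.
function Get-RdpNetworkSnapshot {
    # True when something is listening on TCP 3389 (what netstat showed in the thread).
    $listening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    # Only adapters with an IPv4 default gateway, i.e. the DHCP-configured LAN adapter.
    Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } | ForEach-Object {
        $dns = $_.DNSServer | Where-Object { $_.AddressFamily -eq 2 }   # 2 = IPv4
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            Rdp3389Listening = $listening
            Interface        = $_.InterfaceAlias
            IPv4             = ($_.IPv4Address.IPAddress -join ',')
            PrefixLength     = ($_.IPv4Address.PrefixLength -join ',')
            Gateway          = ($_.IPv4DefaultGateway.NextHop -join ',')
            DnsServers       = ($dns.ServerAddresses -join ',')
            NetworkName      = [string]$_.NetProfile.Name
            # Windows network category: Public, Private or DomainAuthenticated.
            NetworkCategory  = [string]$_.NetProfile.NetworkCategory
        }
    }
}

function Compare-RdpNetworkSnapshot {
    param(
        [Parameter(Mandatory)][string]$WorkingJson,
        [Parameter(Mandatory)][string]$BlockedJson
    )
    $working = Get-Content $WorkingJson -Raw | ConvertFrom-Json
    $blocked = Get-Content $BlockedJson -Raw | ConvertFrom-Json
    # Use the first adapter if a snapshot holds more than one.
    $working = @($working)[0]
    $blocked = @($blocked)[0]
    # Per-host values (Computer, IPv4) always differ, so they are not compared.
    $fields = 'Rdp3389Listening','Interface','PrefixLength','Gateway',
              'DnsServers','NetworkName','NetworkCategory'
    foreach ($field in $fields) {
        if ("$($working.$field)" -ne "$($blocked.$field)") {
            [pscustomobject]@{ Field = $field; Working = $working.$field; Blocked = $blocked.$field }
        }
    }
}

# On each machine:
#   Get-RdpNetworkSnapshot | ConvertTo-Json | Set-Content "$env:COMPUTERNAME-rdp.json"
# Then, with both files in one place (file names are placeholders):
#   Compare-RdpNetworkSnapshot -WorkingJson .\PC-OK-rdp.json -BlockedJson .\PC-BLOCKED-rdp.json
```

An empty result means the two hosts look identical at this level, which points the investigation back at the ESET-side logs.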